All engagements with a customer are defined through a pre-engagement review where a scope of work is defined and agreed by both parties. This is not a chargeable activity.
The purpose of the audit is to review the end-to-end process of interaction with consumers (data subjects): to cover every interaction touch point and to document, or review existing documentation on, how these processes are managed and operated. It is also necessary to ensure that all technology touch points and the overall architecture of the systems are compliant with the regulation; for example, that software update patches are up to date and that there is a process for ensuring this continues.
The audit needs to ensure that there is a central repository of documentation and an established basis for processing, along with a map of all data stored.
The role of PrimeConduct in an audit can extend from advisory and review all the way to full programme management and execution of the compliance plan.
Whether a DPIA is required will become clear from the initial pre-engagement activity, either during the audit or from the obvious nature of the business activity; where one is required, a DPIA must be carried out. A DPIA is required where the amount of data processing activity controlled by the business is large and/or where such processing is the fundamental nature or purpose of the business. A DPIA analyses and delivers an assessment of the privacy risks, the possible impacts on data subjects' rights, and the negative consequences to the business of failing to manage those risks. Depending on the size of the business, a DPIA can take 2 to 5 days.
We can provide training to all departments, from Sales and Finance to Marketing and Technology, with focused and repeatable training guides delivered in a workshop environment. We can also offer updates to the Board on Board responsibilities, business impact, state of readiness and progress reporting. We emphasise the benefits of compliance and a focus on privacy that builds trust with the customers of the business. We can also provide a training package for HR to deliver to new employees. Depending on the size of the company, the full suite of training packages can be delivered in one to two days.
The purpose of the DPO is to establish effective data protection processes and good practice throughout an organisation, its subsidiaries and branches, ensuring compliance with the law, appropriate handling of personal data, and minimising the risk of fines or reputational damage.
PrimeConduct offers three levels of service which you can select based on how much help you require.
1. Premium Programme
2. Enhanced Programme
3. Standard Programme
Starting with the pre-engagement review and an agreed scope, a programme plan is developed and executed to ensure organisation-wide compliance. The scope is agreed with the business, along with the priorities for action, which may for instance begin with the sensitive data defined in the regulation. Our consultant will advise and direct the execution teams to ensure the programme is delivered and will provide expertise where required. The purpose of this programme is to move the business to a fully compliant base from which it can grow and move forward. Our consultant will work with the programme review board and the executive sponsor.
In this case we would not be responsible for executing the compliance programme, but we would assist in defining the scope and the plan for its delivery. We would recommend that in this case the customer also sign up to DPOaaS so that a post-implementation review can be carried out as part of the DPOaaS activity. Compliance programme setup will depend on the size and complexity of the business, but we would expect this to take one to three days. Where the business is particularly complex, we would highlight this during the pre-engagement review and scope definition.
This is largely an advisory programme for very small businesses. Its purpose is to help these businesses understand the breadth of their responsibility and the areas they should look at and act on to become compliant. A structured document is walked through with the business owner during a 2 to 3 hour advisory session, covering issues around personal data, data collection, secure storage of data and privacy notices. If there is a website, it can be reviewed for compliance. The initial advisory session is followed up with a later one-hour session to review the actions taken and progress made, as well as to review documentation.